authorzelidrag@chromium.org <zelidrag@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-16 04:01:08 +0000
committerzelidrag@chromium.org <zelidrag@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-16 04:01:08 +0000
commitb777b3386e10d38944cc717e4192b7858cbdc7fe (patch)
tree85d37a15e729df855d81e0973d9ed1bb3f90d347 /webkit/fileapi
parent4b59a325a589190ab95622be4e1b6a70bc02914f (diff)
File API changes needed for safely passing user selected file entities from the file browser component extension to a 3rd party extension.
BUG=chromium-os:11996 TEST=FileAccessPermissionsTest.FileAccessChecks Review URL: http://codereview.chromium.org/6810037 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81860 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/fileapi')
-rw-r--r--webkit/fileapi/file_system_context_unittest.cc2
-rw-r--r--webkit/fileapi/file_system_mount_point_provider.h30
-rw-r--r--webkit/fileapi/file_system_operation.cc8
-rw-r--r--webkit/fileapi/file_system_path_manager.cc40
-rw-r--r--webkit/fileapi/file_system_path_manager.h14
-rw-r--r--webkit/fileapi/file_system_path_manager_unittest.cc2
-rw-r--r--webkit/fileapi/file_system_types.h2
-rw-r--r--webkit/fileapi/file_system_util.cc20
-rw-r--r--webkit/fileapi/file_system_util.h7
-rw-r--r--webkit/fileapi/sandbox_mount_point_provider.cc21
-rw-r--r--webkit/fileapi/sandbox_mount_point_provider.h12
-rw-r--r--webkit/fileapi/webkit_fileapi.gypi3
12 files changed, 111 insertions, 50 deletions
diff --git a/webkit/fileapi/file_system_context_unittest.cc b/webkit/fileapi/file_system_context_unittest.cc
index 932ba33..f1fff68 100644
--- a/webkit/fileapi/file_system_context_unittest.cc
+++ b/webkit/fileapi/file_system_context_unittest.cc
@@ -34,7 +34,7 @@ class TestSpecialStoragePolicy : public quota::SpecialStoragePolicy {
return origin == GURL(kTestOrigins[1]);
}
- virtual bool IsLocalFileSystemAccessAllowed(const GURL& origin) {
+ virtual bool IsFileHandler(const std::string& extension_id) {
return false;
}
};
diff --git a/webkit/fileapi/file_system_mount_point_provider.h b/webkit/fileapi/file_system_mount_point_provider.h
index 3210331..e331991 100644
--- a/webkit/fileapi/file_system_mount_point_provider.h
+++ b/webkit/fileapi/file_system_mount_point_provider.h
@@ -5,6 +5,9 @@
#ifndef WEBKIT_FILEAPI_FILE_SYSTEM_MOUNT_POINT_PROVIDER_H_
#define WEBKIT_FILEAPI_FILE_SYSTEM_MOUNT_POINT_PROVIDER_H_
+#include <string>
+#include <vector>
+
#include "base/file_path.h"
#include "googleurl/src/gurl.h"
#include "webkit/fileapi/file_system_path_manager.h"
@@ -18,8 +21,10 @@ class FileSystemMountPointProvider {
public:
virtual ~FileSystemMountPointProvider() {}
- // Checks if mount point access is allowed from |origin_url|.
- virtual bool IsAccessAllowed(const GURL& origin_url) = 0;
+ // Checks if access to |virtual_path| is allowed from |origin_url|.
+ virtual bool IsAccessAllowed(const GURL& origin_url,
+ FileSystemType type,
+ const FilePath& virtual_path) = 0;
// Retrieves the root path for the given |origin_url| and |type|, and
// calls the given |callback| with the root path and name.
@@ -41,6 +46,27 @@ class FileSystemMountPointProvider {
// Checks if a given |name| contains any restricted names/chars in it.
// Callable on any thread.
virtual bool IsRestrictedFileName(const FilePath& filename) const = 0;
+
+ // Returns the list of top level directories that are exposed by this
+ // provider. This list is used to set appropriate child process file access
+ // permissions.
+ virtual std::vector<FilePath> GetRootDirectories() const = 0;
+};
+
+// An interface to control external file system access permissions.
+class ExternalFileSystemMountPointProvider
+ : public FileSystemMountPointProvider {
+ public:
+ // Grant access to all external file system from extension identified with
+ // |extension_id|.
+ virtual void GrantFullAccessToExtension(const std::string& extension_id) = 0;
+ // Grants access to |virtual_path| from |origin_url|.
+ virtual void GrantFileAccessToExtension(
+ const std::string& extension_id,
+ const FilePath& virtual_path) = 0;
+ // Revoke file access from extension identified with |extension_id|.
+ virtual void RevokeAccessForExtension(
+ const std::string& extension_id) = 0;
};
} // namespace fileapi
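Review bot: The comment on `GrantFileAccessToExtension` says access is granted "from |origin_url|", but the method takes `extension_id` and has no origin parameter; it should read `// Grants access to |virtual_path| for the extension identified by |extension_id|.` The grant and revoke comments also leave open two things that matter for authorization: whether a grant on a directory covers its descendants, and whether `RevokeAccessForExtension` clears both full-access and per-file grants. Stating both in the interface comments would let implementers and callers agree on the scope of a grant. The enclosing `FileSystemMountPointProvider` class starts above this hunk.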
diff --git a/webkit/fileapi/file_system_operation.cc b/webkit/fileapi/file_system_operation.cc
index e242e86..15f8955 100644
--- a/webkit/fileapi/file_system_operation.cc
+++ b/webkit/fileapi/file_system_operation.cc
@@ -626,8 +626,8 @@ bool FileSystemOperation::VerifyFileSystemPathForRead(
dispatcher_->DidFail(base::PLATFORM_FILE_ERROR_SECURITY);
return false;
}
- if (!file_system_context()->path_manager()->IsAllowedFileSystemType(
- *origin_url, *type)) {
+ if (!file_system_context()->path_manager()->IsAccessAllowed(
+ *origin_url, *type, *virtual_path)) {
dispatcher_->DidFail(base::PLATFORM_FILE_ERROR_SECURITY);
return false;
}
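Review bot: The new per-path check in `VerifyFileSystemPathForRead` is only as strong as the form of `*virtual_path` it receives, and nothing visible in this hunk shows that the path is normalized before `IsAccessAllowed` compares it with granted entries. If the path comes from a URL parsed by `CrackFileSystemURL` (the call is not visible here), that guarantee should be confirmed where the URL is parsed. It should then be recorded next to the check, e.g. `// |virtual_path| must not contain parent references ("..") at this point.` The same applies to the identical change in `VerifyFileSystemPathForWrite` in the next hunk. Both function bodies start and end outside the hunks shown.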
@@ -663,8 +663,8 @@ bool FileSystemOperation::VerifyFileSystemPathForWrite(
dispatcher_->DidFail(base::PLATFORM_FILE_ERROR_SECURITY);
return false;
}
- if (!file_system_context()->path_manager()->IsAllowedFileSystemType(
- *origin_url, *type)) {
+ if (!file_system_context()->path_manager()->IsAccessAllowed(
+ *origin_url, *type, *virtual_path)) {
dispatcher_->DidFail(base::PLATFORM_FILE_ERROR_SECURITY);
return false;
}
diff --git a/webkit/fileapi/file_system_path_manager.cc b/webkit/fileapi/file_system_path_manager.cc
index 16fc60b..cefdab8 100644
--- a/webkit/fileapi/file_system_path_manager.cc
+++ b/webkit/fileapi/file_system_path_manager.cc
@@ -47,7 +47,7 @@ FileSystemPathManager::FileSystemPathManager(
file_message_loop,
profile_path)) {
#if defined(OS_CHROMEOS)
- local_provider_.reset(
+ external_provider_.reset(
new chromeos::CrosMountPointProvider(special_storage_policy));
#endif
}
@@ -64,9 +64,9 @@ void FileSystemPathManager::GetFileSystemRootPath(
sandbox_provider_->GetFileSystemRootPath(
origin_url, type, create, callback_ptr);
break;
- case kFileSystemTypeLocal:
- if (local_provider_.get()) {
- local_provider_->GetFileSystemRootPath(
+ case kFileSystemTypeExternal:
+ if (external_provider_.get()) {
+ external_provider_->GetFileSystemRootPath(
origin_url, type, create, callback_ptr);
} else {
callback_ptr->Run(false, FilePath(), std::string());
@@ -88,9 +88,9 @@ FilePath FileSystemPathManager::GetFileSystemRootPathOnFileThread(
return sandbox_provider_->GetFileSystemRootPathOnFileThread(
origin_url, type, virtual_path, create);
break;
- case kFileSystemTypeLocal:
- return local_provider_.get() ?
- local_provider_->GetFileSystemRootPathOnFileThread(
+ case kFileSystemTypeExternal:
+ return external_provider_.get() ?
+ external_provider_->GetFileSystemRootPathOnFileThread(
origin_url, type, virtual_path, create) :
FilePath();
case kFileSystemTypeUnknown:
@@ -112,9 +112,11 @@ bool FileSystemPathManager::IsAllowedScheme(const GURL& url) const {
std::string FileSystemPathManager::GetFileSystemTypeString(
fileapi::FileSystemType type) {
if (type == fileapi::kFileSystemTypeTemporary)
- return fileapi::SandboxMountPointProvider::kTemporaryName;
+ return fileapi::kTemporaryName;
else if (type == fileapi::kFileSystemTypePersistent)
- return fileapi::SandboxMountPointProvider::kPersistentName;
+ return fileapi::kPersistentName;
+ else if (type == fileapi::kFileSystemTypeExternal)
+ return fileapi::kExternalName;
return std::string();
}
@@ -125,9 +127,9 @@ bool FileSystemPathManager::IsRestrictedFileName(
case kFileSystemTypeTemporary:
case kFileSystemTypePersistent:
return sandbox_provider_->IsRestrictedFileName(filename);
- case kFileSystemTypeLocal:
- return local_provider_.get() ?
- local_provider_->IsRestrictedFileName(filename) : true;
+ case kFileSystemTypeExternal:
+ return external_provider_.get() ?
+ external_provider_->IsRestrictedFileName(filename) : true;
case kFileSystemTypeUnknown:
default:
NOTREACHED();
@@ -136,17 +138,17 @@ bool FileSystemPathManager::IsRestrictedFileName(
}
// Checks if an origin has access to a particular filesystem type.
-bool FileSystemPathManager::IsAllowedFileSystemType(
- GURL origin, FileSystemType type) {
+bool FileSystemPathManager::IsAccessAllowed(
+ const GURL& origin, FileSystemType type, const FilePath& virtual_path) {
switch (type) {
case kFileSystemTypeTemporary:
case kFileSystemTypePersistent:
- if (!sandbox_provider_->IsAccessAllowed(origin))
+ if (!sandbox_provider_->IsAccessAllowed(origin, type, virtual_path))
return false;
break;
- case kFileSystemTypeLocal:
- if (!local_provider_.get() ||
- !local_provider_->IsAccessAllowed(origin)) {
+ case kFileSystemTypeExternal:
+ if (!external_provider_.get() ||
+ !external_provider_->IsAccessAllowed(origin, type, virtual_path)) {
return false;
}
break;
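Review bot: The comment above `FileSystemPathManager::IsAccessAllowed` still describes the old type-only check, while the function now decides access per `virtual_path`. I would replace it with `// Checks if |origin| may access |virtual_path| in a filesystem of |type|. Denies external access when no external provider is set.`, which also records the fail-closed behaviour of the `!external_provider_.get()` test. The function's remaining cases and its return are outside this hunk.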
@@ -164,3 +166,5 @@ COMPILE_ASSERT(int(WebFileSystem::TypeTemporary) == \
int(fileapi::kFileSystemTypeTemporary), mismatching_enums);
COMPILE_ASSERT(int(WebFileSystem::TypePersistent) == \
int(fileapi::kFileSystemTypePersistent), mismatching_enums);
+COMPILE_ASSERT(int(WebFileSystem::TypeExternal) == \
+ int(fileapi::kFileSystemTypeExternal), mismatching_enums);
diff --git a/webkit/fileapi/file_system_path_manager.h b/webkit/fileapi/file_system_path_manager.h
index 19718ae..f914a7d 100644
--- a/webkit/fileapi/file_system_path_manager.h
+++ b/webkit/fileapi/file_system_path_manager.h
@@ -20,7 +20,7 @@ class MessageLoopProxy;
namespace fileapi {
-class FileSystemMountPointProvider;
+class ExternalFileSystemMountPointProvider;
class SandboxMountPointProvider;
// TODO(kinuko): Probably this module must be called FileSystemPathUtil
@@ -81,13 +81,19 @@ class FileSystemPathManager {
bool IsRestrictedFileName(FileSystemType type,
const FilePath& filename);
- // Checks if an origin has access to a particular filesystem type.
- bool IsAllowedFileSystemType(GURL origin, FileSystemType type);
+ // Checks if an origin has access to a particular filesystem type and
+ // file element represented by |virtual_path|.
+ bool IsAccessAllowed(const GURL& origin, FileSystemType type,
+ const FilePath& virtual_path);
SandboxMountPointProvider* sandbox_provider() const {
return sandbox_provider_.get();
}
+ ExternalFileSystemMountPointProvider* external_provider() const {
+ return external_provider_.get();
+ }
+
bool is_incognito() const {
return is_incognito_;
}
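Review bot: `external_provider()` hands out a pointer that can be NULL, and the accessor carries no comment saying so. The constructor hunk in file_system_path_manager.cc only assigns `external_provider_` under `OS_CHROMEOS`. Because this pointer is the route to `GrantFullAccessToExtension` and the other grant calls, add `// Returns NULL when no external provider is configured; callers must check.` above it. It may also be worth stating which code is expected to call the grant methods, since any holder of the path manager can now reach them.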
@@ -96,7 +102,7 @@ class FileSystemPathManager {
const bool is_incognito_;
const bool allow_file_access_from_files_;
scoped_ptr<SandboxMountPointProvider> sandbox_provider_;
- scoped_ptr<FileSystemMountPointProvider> local_provider_;
+ scoped_ptr<ExternalFileSystemMountPointProvider> external_provider_;
DISALLOW_COPY_AND_ASSIGN(FileSystemPathManager);
};
diff --git a/webkit/fileapi/file_system_path_manager_unittest.cc b/webkit/fileapi/file_system_path_manager_unittest.cc
index 8a99b84..dbdef10 100644
--- a/webkit/fileapi/file_system_path_manager_unittest.cc
+++ b/webkit/fileapi/file_system_path_manager_unittest.cc
@@ -173,7 +173,7 @@ class TestSpecialStoragePolicy : public quota::SpecialStoragePolicy {
return true;
}
- virtual bool IsLocalFileSystemAccessAllowed(const GURL& origin) {
+ virtual bool IsFileHandler(const std::string& extension_id) {
return true;
}
};
diff --git a/webkit/fileapi/file_system_types.h b/webkit/fileapi/file_system_types.h
index 8b7fe01..cfd2cb1 100644
--- a/webkit/fileapi/file_system_types.h
+++ b/webkit/fileapi/file_system_types.h
@@ -10,7 +10,7 @@ namespace fileapi {
enum FileSystemType {
kFileSystemTypeTemporary,
kFileSystemTypePersistent,
- kFileSystemTypeLocal,
+ kFileSystemTypeExternal,
kFileSystemTypeUnknown,
};
diff --git a/webkit/fileapi/file_system_util.cc b/webkit/fileapi/file_system_util.cc
index 75013da..f3e6278 100644
--- a/webkit/fileapi/file_system_util.cc
+++ b/webkit/fileapi/file_system_util.cc
@@ -15,9 +15,13 @@
namespace fileapi {
-static const char kPersistentDir[] = "/persistent/";
-static const char kTemporaryDir[] = "/temporary/";
-static const char kLocalDir[] = "/local/";
+const char kPersistentDir[] = "/persistent/";
+const char kTemporaryDir[] = "/temporary/";
+const char kExternalDir[] = "/external/";
+
+const char kPersistentName[] = "Persistent";
+const char kTemporaryName[] = "Temporary";
+const char kExternalName[] = "External";
bool CrackFileSystemURL(const GURL& url, GURL* origin_url, FileSystemType* type,
FilePath* file_path) {
@@ -77,9 +81,9 @@ bool CrackFileSystemURL(const GURL& url, GURL* origin_url, FileSystemType* type,
} else if (path.compare(0, strlen(kTemporaryDir), kTemporaryDir) == 0) {
file_system_type = kFileSystemTypeTemporary;
path = path.substr(strlen(kTemporaryDir));
- } else if (path.compare(0, strlen(kLocalDir), kLocalDir) == 0) {
- file_system_type = kFileSystemTypeLocal;
- path = path.substr(strlen(kLocalDir));
+ } else if (path.compare(0, strlen(kExternalDir), kExternalDir) == 0) {
+ file_system_type = kFileSystemTypeExternal;
+ path = path.substr(strlen(kExternalDir));
} else {
return false;
}
@@ -114,8 +118,8 @@ GURL GetFileSystemRootURI(
case kFileSystemTypePersistent:
path += (kPersistentDir + 1); // We don't want the leading slash.
break;
- case kFileSystemTypeLocal:
- path += (kLocalDir + 1); // We don't want the leading slash.
+ case kFileSystemTypeExternal:
+ path += (kExternalDir + 1); // We don't want the leading slash.
break;
default:
NOTREACHED();
diff --git a/webkit/fileapi/file_system_util.h b/webkit/fileapi/file_system_util.h
index b858c1b..272e432 100644
--- a/webkit/fileapi/file_system_util.h
+++ b/webkit/fileapi/file_system_util.h
@@ -13,6 +13,13 @@ class GURL;
namespace fileapi {
+extern const char kPersistentDir[];
+extern const char kTemporaryDir[];
+extern const char kExternalDir[];
+extern const char kPersistentName[];
+extern const char kTemporaryName[];
+extern const char kExternalName[];
+
// The file_path this returns will be using '/' as a path separator, no matter
// what platform you're on.
bool CrackFileSystemURL(const GURL& url, GURL* origin_url, FileSystemType* type,
diff --git a/webkit/fileapi/sandbox_mount_point_provider.cc b/webkit/fileapi/sandbox_mount_point_provider.cc
index 5768ed9..5e80296 100644
--- a/webkit/fileapi/sandbox_mount_point_provider.cc
+++ b/webkit/fileapi/sandbox_mount_point_provider.cc
@@ -111,9 +111,6 @@ namespace fileapi {
const FilePath::CharType SandboxMountPointProvider::kFileSystemDirectory[] =
FILE_PATH_LITERAL("FileSystem");
-const char SandboxMountPointProvider::kPersistentName[] = "Persistent";
-const char SandboxMountPointProvider::kTemporaryName[] = "Temporary";
-
SandboxMountPointProvider::SandboxMountPointProvider(
FileSystemPathManager* path_manager,
scoped_refptr<base::MessageLoopProxy> file_message_loop,
@@ -126,7 +123,11 @@ SandboxMountPointProvider::SandboxMountPointProvider(
SandboxMountPointProvider::~SandboxMountPointProvider() {
}
-bool SandboxMountPointProvider::IsAccessAllowed(const GURL& origin_url) {
+bool SandboxMountPointProvider::IsAccessAllowed(const GURL& origin_url,
+ FileSystemType type,
+ const FilePath& unused) {
+ if (type != kFileSystemTypeTemporary && type != kFileSystemTypePersistent)
+ return false;
// We essentially depend on quota to do our access controls.
return path_manager_->IsAllowedScheme(origin_url);
}
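Review bot: The third parameter is named `unused` here but `virtual_path` in sandbox_mount_point_provider.h, whose comment promises a check of "access to |virtual_path|". The sandbox provider performs no per-path check. Keep the declared name and mark it in the definition, e.g. `const FilePath& /* virtual_path */`, and add `// |virtual_path| is not consulted for sandboxed types; only |type| and the scheme of |origin_url| are checked.` That stops readers assuming path-level enforcement for temporary and persistent filesystems.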
@@ -211,6 +212,14 @@ bool SandboxMountPointProvider::IsRestrictedFileName(const FilePath& filename)
return false;
}
+std::vector<FilePath> SandboxMountPointProvider::GetRootDirectories() const {
+ NOTREACHED();
+ // TODO(ericu): Implement this method and check for access permissions as
+ // fileBrowserPrivate extension API does. We currently have another mechanism,
+ // but we should switch over.
+ return std::vector<FilePath>();
+}
+
void SandboxMountPointProvider::GetFileSystemRootPath(
const GURL& origin_url, fileapi::FileSystemType type,
bool create, FileSystemPathManager::GetRootPathCallback* callback_ptr) {
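Review bot: `GetRootDirectories()` pairs `NOTREACHED()` with an empty return, so in builds where `NOTREACHED()` compiles out the caller silently receives an empty list. The base-class comment says this list is used to set child process file access permissions, so an empty list presumably grants nothing, which is the safe outcome. That should be written down: `// Intentionally returns no directories until implemented, so no file access is granted from this list.` Moving the TODO above `NOTREACHED()` would also make the intent easier to read.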
@@ -278,12 +287,12 @@ std::string SandboxMountPointProvider::OriginEnumerator::Next() {
bool SandboxMountPointProvider::OriginEnumerator::HasTemporary() {
return !current_.empty() && file_util::DirectoryExists(current_.AppendASCII(
- SandboxMountPointProvider::kTemporaryName));
+ fileapi::kTemporaryName));
}
bool SandboxMountPointProvider::OriginEnumerator::HasPersistent() {
return !current_.empty() && file_util::DirectoryExists(current_.AppendASCII(
- SandboxMountPointProvider::kPersistentName));
+ fileapi::kPersistentName));
}
bool SandboxMountPointProvider::GetOriginBasePathAndName(
diff --git a/webkit/fileapi/sandbox_mount_point_provider.h b/webkit/fileapi/sandbox_mount_point_provider.h
index be85f77..51a9414 100644
--- a/webkit/fileapi/sandbox_mount_point_provider.h
+++ b/webkit/fileapi/sandbox_mount_point_provider.h
@@ -6,6 +6,7 @@
#define WEBKIT_FILEAPI_SANDBOX_MOUNT_POINT_PROVIDER_H_
#include <string>
+#include <vector>
#include "base/file_path.h"
#include "googleurl/src/gurl.h"
@@ -28,8 +29,10 @@ class SandboxMountPointProvider : public FileSystemMountPointProvider {
const FilePath& profile_path);
virtual ~SandboxMountPointProvider();
- // Checks if mount point access is allowed from |origin_url|.
- virtual bool IsAccessAllowed(const GURL& origin_url);
+ // Checks if access to |virtual_path| is allowed from |origin_url|.
+ virtual bool IsAccessAllowed(const GURL& origin_url,
+ FileSystemType type,
+ const FilePath& virtual_path);
// Retrieves the root path for the given |origin_url| and |type|, and
// calls the given |callback| with the root path and name.
@@ -51,9 +54,6 @@ class SandboxMountPointProvider : public FileSystemMountPointProvider {
// The FileSystem directory name.
static const FilePath::CharType kFileSystemDirectory[];
- static const char kPersistentName[];
- static const char kTemporaryName[];
-
const FilePath& base_path() const {
return base_path_;
}
@@ -61,6 +61,8 @@ class SandboxMountPointProvider : public FileSystemMountPointProvider {
// Checks if a given |name| contains any restricted names/chars in it.
virtual bool IsRestrictedFileName(const FilePath& filename) const;
+ virtual std::vector<FilePath> GetRootDirectories() const;
+
// Returns the origin identifier string, which is used as a part of the
// sandboxed path component, for the given |url|.
static std::string GetOriginIdentifierFromURL(const GURL& url);
diff --git a/webkit/fileapi/webkit_fileapi.gypi b/webkit/fileapi/webkit_fileapi.gypi
index b9c79ec..ca25491 100644
--- a/webkit/fileapi/webkit_fileapi.gypi
+++ b/webkit/fileapi/webkit_fileapi.gypi
@@ -58,6 +58,9 @@
['chromeos==1', {
'sources': [
'../chromeos/fileapi/cros_mount_point_provider.cc',
+ '../chromeos/fileapi/cros_mount_point_provider.h',
+ '../chromeos/fileapi/file_access_permissions.cc',
+ '../chromeos/fileapi/file_access_permissions.h',
],
}],
],